
Privileged account management

Managing the entire life cycle of an organisation's privileged accounts. By Gerard Taylor, senior consultant at Ubusha Technologies.


Johannesburg, 30 Sep 2013
Gerard Taylor, senior consultant at Ubusha Technologies.

There is a growing understanding within organisations of the security risk posed by privileged accounts.

As a result, a number of products have emerged to help businesses discover the privileged accounts that exist, audit the state of those accounts and monitor how they are used.

In this way, they can ensure that passwords are changed regularly and that only those who have been assigned access to a privileged account can use it, says Gerard Taylor, senior consultant at Ubusha Technologies.

However, the full life cycle of a privileged account involves much more than password and usage management: the account needs to be explained and substantiated from its inception right through to its de-provisioning.

This is critical, because privileged accounts frequently arrive in corporate systems unnoticed, without management being aware of their existence, let alone their extent.

This is due to the simple fact that, over the life of a business, many systems and applications are not installed centrally, but are implemented by individual departments or business units.

Typically in such a situation, a privileged account is created in order to install an application. These may be Web applications, client-server applications or what appear to be standalone applications.

They do, however, all have one thing in common: they require some level of privileged access to be installed, and may need a service account to run. They may also have internal privileged accounts with which they connect to databases or data stores.

The trouble is that because such an account is not linked to a specific accountable person, unless effective life cycle management is in place, it is likely to remain on the system long after the application it was created for has fallen into disuse. In addition, multiple users often share the account, which makes an effective audit trail difficult.

Businesses therefore need a means of identifying not only who is using a given account at any one time, but also what they are using it for. Several software products currently available can help organisations manage this aspect of security around service accounts.

Managing the existence of the account itself

Managing who may use a privileged account, and when, where and how, is necessary, as is managing its auditing, permissions and usage. But the area where most companies fail is managing the existence of the account itself.

Louis De Klerk, consultant at Ubusha Technologies.

Even companies with otherwise effective password and assignment controls fail here: they have no means of knowing which accounts have been opened, whether those accounts are still in use, or whether they should be de-provisioned because the life cycle of the application they served has ended. Failure to de-provision accounts when an application reaches the end of its life creates a range of risks for an organisation.

There is the clutter caused by multiple accounts that are no longer in actual use, but more importantly, there is the serious risk such accounts pose to an organisation's security.

In a business where a vast number of privileged accounts have been enabled, dozens of employees may, over time, have made use of each of them.

That means large numbers of people have ready access to the passwords of these accounts and know the permissions and procedures involved in using them.

It is inevitable that some of these people will no longer be working for the organisation, yet they may still have access to these accounts and, through such privileged access, can easily reach other accounts within the organisation, should they wish to cause mischief.

This poses an enormous risk to the business as a whole. Failure to control the very existence of service accounts means failure to reduce the attack surface of virtually all IT systems.

Five key questions

To negate these risks, it is crucial to ensure these privileged accounts exist only for as long as they are needed, and no longer. Mature management of privileged accounts means a business is able to answer the following five questions:

* Why does this privileged account exist?
* Who is accountable for its existence?
* Who approved the existence and why?
* When was the approval granted?
* When last was the existence of this privileged account reviewed?

Only if you can answer all five of these questions can your company claim to be truly in control of its privileged accounts. The key component that needs to be addressed is controlling the existence of those accounts.

This should be achieved through the establishment of a definitive register of these accounts. Which system holds the register is of no import; what matters is that it enables you to manage the life cycle of each account.

This encompasses recording the decisions made over that life cycle, providing the reports and audit trails the organisation requires and, most importantly, integrating with your existing environment and systems so that the life cycle can be automated.
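As an added illustration (this is example code written for this page, not Ubusha's or any vendor's tooling), the following Python sketches what such a register looks like in practice and how it can be reconciled against what discovery actually finds on the systems. Each register row carries the answers to the five questions; reconcile() compares a discovery export against the register and produces the lists a reviewer needs: accounts that exist but were never registered, register rows that no longer match a live account, accounts whose application has been retired and should be de-provisioned, rows that cannot answer one of the five questions, and rows whose periodic review is overdue. The field names, the 180-day review interval, the system names and the sample accounts are all assumptions constructed for the example.

```python
"""Privileged-account register reconciliation (added example, not vendor code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

REVIEW_INTERVAL = timedelta(days=180)  # assumed policy: re-certify twice a year


@dataclass
class RegisterEntry:
    """One row of the register; the optional fields hold the five answers."""
    system: str
    account: str
    purpose: Optional[str] = None            # why does it exist?
    owner: Optional[str] = None              # who is accountable?
    approver: Optional[str] = None           # who approved it ...
    approval_reason: Optional[str] = None    # ... and why?
    approved_on: Optional[date] = None       # when was approval granted?
    last_reviewed_on: Optional[date] = None  # when was it last reviewed?
    application_retired_on: Optional[date] = None  # set when the app is decommissioned


def unanswered_questions(entry: RegisterEntry) -> list[str]:
    """Return which of the five questions this register row cannot answer."""
    missing = []
    if not entry.purpose:
        missing.append("why")
    if not entry.owner:
        missing.append("accountable")
    if not (entry.approver and entry.approval_reason):
        missing.append("approved_by_and_why")
    if entry.approved_on is None:
        missing.append("approved_when")
    if entry.last_reviewed_on is None:
        missing.append("last_reviewed")
    return missing


def reconcile(discovered: Iterable[tuple[str, str]],
              register: Iterable[RegisterEntry],
              today: date,
              review_interval: timedelta = REVIEW_INTERVAL) -> dict:
    """Reconcile discovered (system, account) pairs against the register.

    Returns lists keyed by finding type; items are "system/account" strings
    (for "incomplete", a tuple of the name and the unanswered questions).
    """
    found = set(discovered)
    registered = {(e.system, e.account): e for e in register}
    name = lambda key: f"{key[0]}/{key[1]}"

    findings = {
        # live on a system but absent from the register: nobody can say why it exists
        "unregistered": sorted(name(k) for k in found - set(registered)),
        # in the register but not on the system: the register itself is stale
        "not_found": sorted(name(k) for k in set(registered) - found),
        "deprovision": [],
        "incomplete": [],
        "review_overdue": [],
    }
    for key in sorted(set(registered) & found):
        entry = registered[key]
        # the application's life cycle has expired but the account is still live
        if entry.application_retired_on and entry.application_retired_on <= today:
            findings["deprovision"].append(name(key))
            continue
        missing = unanswered_questions(entry)
        if missing:
            findings["incomplete"].append((name(key), missing))
        elif today - entry.last_reviewed_on > review_interval:
            findings["review_overdue"].append(name(key))
    return findings


def demo() -> dict:
    """Run reconcile() over constructed sample data (not a real environment)."""
    today = date(2013, 9, 30)
    register = [
        RegisterEntry("erp-db", "svc_erp", "ERP application DB login", "j.smith",
                      "cio", "ERP go-live", date(2011, 3, 1), date(2013, 6, 15)),
        RegisterEntry("erp-db", "svc_reporting", "Legacy reporting job", "j.smith",
                      "cio", "Reporting project", date(2010, 5, 1), date(2013, 1, 10),
                      application_retired_on=date(2013, 8, 31)),
        RegisterEntry("hr-web", "svc_hrweb", "HR portal service account",
                      approved_on=date(2012, 2, 1), last_reviewed_on=date(2013, 7, 1)),
        RegisterEntry("hr-web", "svc_hrbatch", "Nightly payroll batch", "m.jones",
                      "hr-director", "Payroll automation", date(2012, 2, 1), date(2012, 8, 1)),
        RegisterEntry("crm", "svc_crm", "CRM integration", "a.ngcobo",
                      "sales-director", "CRM rollout", date(2012, 9, 1), date(2013, 9, 1)),
    ]
    # constructed discovery export: what the tooling actually found on the hosts
    discovered = [
        ("erp-db", "svc_erp"), ("erp-db", "svc_reporting"),
        ("hr-web", "svc_hrweb"), ("hr-web", "svc_hrbatch"),
        ("file-srv", "svc_backup"),  # installed by a business unit, never registered
    ]
    return reconcile(discovered, register, today)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

The design point is that the register is only useful when it is checked against reality: the "unregistered" and "not_found" lists are what make accounts that arrived unnoticed visible, and the "deprovision" list is what turns an application's end of life into an action on the account. In a real deployment the discovered list would come from the discovery tooling's export and the findings would feed the review workflow rather than being printed.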

Moreover, being able to answer all five of these questions satisfactorily is only part of the challenge. Answering them may be of little worth unless you can prove to auditors that you have answered them accurately.

You have only arrived at true governance once you can demonstrate and substantiate the fact that the answers to these questions are comprehensive, accurate and reliable.

After all, governance, risk and compliance (GRC) is taking on ever greater importance in most organisations, and since an effective GRC policy requires proof for the auditors, being able to substantiate your answers to these five questions is more vital than ever.

Ultimately, however, the most important reason for ensuring complete and effective life cycle management for your privileged accounts boils down to ensuring your company's own safety and security.

Bad management inevitably leaves points of access open through which people with mischief in mind can gain entry to your business.

This one little hole can then become a great big door through which an attacker, whether external or internal, can stroll and cause untold damage to your organisation. Badly managed privileged accounts are the equivalent of leaving your company's back door wide open.


Editorial contacts

Jacqui Gögele
Ubusha Technologies
(+27) 82 441 8057
jacqui@ubusha.co.za